@vegaasen
Last active May 23, 2017 13:01
Configure Apache HTTPd with SSL/https for OAM - OIM

Configure HTTPS OAM<->OIM

Introduction

This is a short summary of how to enable HTTPS between the two products:

  • OAM
  • OIM

Resources

Components needing configurations

  • Apache
  • Apache WebGate
  • OAM
      • WebGate component
  • OIM
      • Enterprise Manager

Configure apache

Generate certificates

```sh
# All certificates must be in *pem* format. Convert these:
# -nocerts: output only the private key; -nodes: write it unencrypted
openssl pkcs12 -in test_iam_domain_whatever_com-priv.pfx -nocerts -nodes -out test_iam_domain_whatever_com.private
```

Note: you will probably need to add a few new symlinks (ln -s) to the environment.
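As an added example (not part of the gist), the full PEM extraction the command above starts, wrapped in a small POSIX shell script that also pulls out the server certificate and the chain and then checks that the extracted private key really belongs to the certificate before the files are handed to mod_ssl. The function names, the password argument and the output file names are this example's own choices:

```sh
#!/bin/sh
# Added example, not from the gist: convert a PKCS#12 (.pfx) bundle into the
# three PEM files Apache mod_ssl expects and verify key/certificate agreement.

# pfx_to_pem <bundle.pfx> <password> <output-prefix>
# Writes <prefix>.key (unencrypted private key), <prefix>.crt (server
# certificate) and <prefix>.chain (issuer certificates; empty when the
# bundle carries none). Returns non-zero if key or cert extraction fails.
pfx_to_pem() {
    pfx=$1; pass=$2; prefix=$3
    # Private key only (-nocerts). -nodes leaves it unencrypted, so restrict
    # the file to its owner straight away.
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$prefix.key" 2>/dev/null || return 1
    chmod 600 "$prefix.key"
    # Leaf certificate only (-clcerts), no key material (-nokeys).
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
        -out "$prefix.crt" 2>/dev/null || return 1
    # Intermediate/root certificates for SSLCertificateChainFile. A bundle
    # without intermediates simply yields an empty file here.
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" \
        -out "$prefix.chain" 2>/dev/null || :
    return 0
}

# key_matches_cert <key.pem> <cert.pem>
# Succeeds only when the public key derived from the private key is identical
# to the public key embedded in the certificate (works for RSA and EC keys).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage (paths are placeholders):
#   pfx_to_pem test_iam_domain_whatever_com-priv.pfx 'pfx-password' /etc/httpd/ssl/iam \
#     && key_matches_cert /etc/httpd/ssl/iam.key /etc/httpd/ssl/iam.crt \
#     && echo "key and certificate match"
```

The match check catches the most common mistake when several PFX files float around an environment: pairing a key with the wrong certificate, which Apache only reports at start-up as a cryptic mod_ssl error.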

Configuration

Add required configuration for the Apache instance. This includes configuration itself, pub/priv certificates and the chain itself.

Important configuration to be added in the httpd-ssl.conf file:

```apache
#--HEADERS
	RequestHeader set IS_SSL ssl
	RequestHeader set WL-Proxy-SSL true

#--REWRITES
	RewriteCond %{QUERY_STRING} ^(.*)bpmWorklistHttpPort=80\&bpmWorklistHttpsPort=0(.*)$
	RewriteRule ^/identity/faces/adf.task-flow.*$ "https://%{HTTP_HOST}/identity/faces/adf.task-flow?%1bpmWorklistHttpPort=0\&bpmWorklistHttpsPort=443%2" [R=301,NE,QSD,L]
	Include conf/extra/domain/httpd-rewrites.conf
```

Important configuration to be added in the httpd-vhosts.conf file:

```apache
#--REWRITES
	RewriteCond %{HTTPS} off
	RewriteCond %{REQUEST_URI} !^/identity/faces/adf.task-flow.*$
	RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
```
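To show where the fragments above land in a working configuration, here is an added example (not from the gist) of the two VirtualHosts as a security engineer would lay them out: the certificate paths, the SSLProtocol line and the ProxyPass target are assumptions for illustration (the backend port is the one from the OimFrontEndURL mentioned later in this gist). mod_rewrite only acts inside a VirtualHost once RewriteEngine On is set there, so that line is included explicitly.

```apache
# Added example, not part of the gist. Hostnames, paths and ports are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName the-uber-iam.somewhere.whatever.com

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/test_iam_domain_whatever_com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/test_iam_domain_whatever_com.private
    SSLCertificateChainFile /etc/httpd/ssl/test_iam_domain_whatever_com.chain
    # Assumed hardening: refuse SSLv3 and TLS 1.0/1.1
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    #--HEADERS
    # "set" (rather than "append") replaces any value a client sent, so a
    # client cannot claim to be on TLS; WebLogic then builds https:// URLs.
    RequestHeader set IS_SSL ssl
    RequestHeader set WL-Proxy-SSL true

    #--REWRITES
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^(.*)bpmWorklistHttpPort=80\&bpmWorklistHttpsPort=0(.*)$
    RewriteRule ^/identity/faces/adf.task-flow.*$ "https://%{HTTP_HOST}/identity/faces/adf.task-flow?%1bpmWorklistHttpPort=0\&bpmWorklistHttpsPort=443%2" [R=301,NE,QSD,L]
    Include conf/extra/domain/httpd-rewrites.conf

    # Assumed reverse proxy to the OIM managed server (mod_proxy, no WL plug-in)
    ProxyPreserveHost On
    ProxyPass        /identity http://server-name-01.domain.whatever.com:14000/identity
    ProxyPassReverse /identity http://server-name-01.domain.whatever.com:14000/identity
</VirtualHost>

<VirtualHost *:80>
    ServerName the-uber-iam.somewhere.whatever.com

    #--REWRITES: send everything except the worklist task-flow to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/identity/faces/adf.task-flow.*$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
</VirtualHost>
```

Run `apachectl configtest` after editing; a key that does not match the certificate, or a missing RewriteEngine On, shows up there or in the error log at start-up rather than in the browser.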

Configure OAM

OAM configuration

  • Log in to OAM and navigate to: Configuration > Access Manager Settings
  • Change the following properties:
      • OAM Server Port: 443
      • OAM Server Protocol: https

OAM WebGate configuration

  • Log in to OAM and navigate to: Application Security > SSO Agents > (select WebGate in question)
  • Change the following properties:
      • Preferred Host: <>:443
      • Logout Redirect URL: https://<>:443/<>
  • Click Save
  • Click Download

WebLogic configuration

The first step is to enable the "WebLogic Plug-In". Although we do not use the WebLogic plug-in on our Apache proxy servers, that does not matter here: the setting only makes WebLogic aware that a proxy sits in front of the WebLogic instance:

Environment > Servers > (oim) > Configuration > Protocols > "[v] WebLogic Plug-In Enabled"

Second, define the proxied web-host and the https-port:

Environment > Servers > (oim) > Protocols > HTTP >
	Frontend Host: (hostname [e.g: the-uber-iam.somewhere.whatever.com])
	Frontend HTTP Port: 0
	Frontend HTTPS Port: 443

Click "Save" and restart the OIM-server instance.

Note: this requires the Apache configuration (such as the RequestHeader entries) to already be in place.

Configure Apache OAM WebGate

  • Use the downloaded zip-file from the step "Configure OAM > WebGate configuration"
  • Log on to the OIM Server (Linux)
  • Copy the contents of the ZIP file to the WebGate configuration directory
      • /home/oracle/apache_iam-webgate/generated/webgate/config
  • Go to "Application Security > Host Identifiers" and select the environment you're working with
  • Add the hostnames that should be used (host:443)

Note: if the hostname(s) are not added, the user is shown an error/401 :-). You'll notice it.

Configure OIM & SOA

This is a rather big step and requires several changes to be carried out.

Enterprise Manager configuration

MBeans

Change the following properties:

MBeans: oracle.iam > Server > oim > XMLConfig > Config > Discovery > Discovery > "OimExternalFrontEndURL" ====> https://the-uber-iam.somewhere.whatever.com:443

SOA > soa-infra > default > (choose any item) > (right-click) > SOA Infrastructure Common Properties > "Server URLs" > "Server URL" ====> https://the-uber-iam.somewhere.whatever.com

Restart OIM and SOA after this step :-).

Workflow configuration

Change the port for all of the various Workflows (both Approval Task and Challenge Task).

Under "Application Name" -> worklist, change the ports: HTTP port from 80 to 0, HTTPS port from 0 to 443.

Restart SOA :-)

Errors

"Unable to invoke endpoint URI"

The following error may occur:

```
Unable to invoke endpoint URI "https://the-uber-iam.somewhere.whatever.com:443/workflowservice/CallbackService" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: java.io.IOException: Invalid IPAddressName
```

This most likely means that you have misconfigured OIM somehow. Look into the EM property and ensure its value is correct:

oracle.iam > Server > oim > XMLConfig > Config > Discovery > Discovery > "OimFrontEndURL" ====> http://server-name-01.domain.whatever.com:14000